The Configuration Console of Sophos Antivirus 9.5.1 (Linux) does not sanitize several input parameters before sending them back to the browser, so an attacker could inject code inside these parameters including JavaScript code